Tag Archives: Technology

When does ‘Delete’ Really Mean Delete?

William Kellermann
July 27, 2016

In the words of the late, great Browning Marean[i]:  “The ‘Delete’ key is the greatest lie on the keyboard.”  Unfortunately, this maxim was lost on a UK drug trafficker convicted, in part, on emails he thought were deleted from his Yahoo! email account.  In a motion for discovery filed in the federal district court for the Northern District of California, defense lawyers contend Yahoo! produced six months of deleted email, recovered even though Yahoo!’s own policies indicated otherwise.  Russell Knaggs v. Yahoo! Inc., U.S.D.C. ND-Cal., Case #15-MC-80281-MEJ.

In the motion, the criminal defendant speculates the email was collected in violation of UK privacy laws, either through real-time interception or some nefarious NSA surveillance program, such as those exposed by Edward Snowden.  As such, the evidence was unlawfully collected and should be suppressed.

Unfortunately for the drug dealer, the source of the mail is likely much more mundane.  Unfortunately for Yahoo!, its explanation was tortured enough that the court ordered limited discovery, and a person-most-knowledgeable deposition.  The focus of the ordered discovery is a determination of the method Yahoo! used to gather the email data to provide to the government.

For anyone who has performed an in-depth analysis of enterprise email systems, to borrow from the words of Dean Wormer in “Animal House,” there is “deleted, double deleted and double-secret deletion.”  To remind the uninitiated, and using Microsoft Exchange and Outlook as a model, the typical deletion process for email goes something like this:

  1. Delete the message in the email reader software (in the Microsoft world, that would be Outlook.)  This step simply moves the message from the “Inbox,” or other folder in which it is held, to the “Deleted Items” folder.
  2. Delete the message from the “Deleted Items” folder.

Voilà! The message is gone!  Or is it?  For most people that would be true.  However, technologists, IT staff, email administrators, and electronic discovery practitioners know there is more.  Again, in the Microsoft Exchange environment, a copy of the message is retained in the email server “Deleted Items” cache (a/k/a the “Dumpster”) for a period of time.  This allows an administrator to recover mail inadvertently “double-deleted” by a user.  Many other email systems maintain a similar server-side cache of deleted messages for the same reason.  Until the parameters of the cache system are met, the message is recoverable by an administrator.

In the case of Microsoft Exchange, retention is date-driven.  However, other systems may be size-driven; that is, content is not deleted from the server cache file until and unless the cache reaches a certain size.  At that time, older messages are overwritten to make room for newer messages in an updated version of the cache.  Until that time, the messages persist.

Further, most software used to recover, extract, and export messages typically captures, or provides options to capture, every message related to the user account, whether active, deleted, double deleted, archived or retained in the Dumpster.

Of course, further complicating matters, our drug dealer was using the Yahoo! mailbox as a form of message drop where communications were made using drafts of messages never sent.  One dealer would log in to the account and create a draft of a message.  The intended recipient would then log in to the same account, read the draft and respond, by either overwriting the prior draft or deleting the draft and creating a new draft.  However, as with any good messaging system seeking to save users from themselves, drafts are “auto-saved” periodically.

Yahoo!’s prior responses and the court’s order get bogged down in a discussion of when and how auto-save works which, while important, ignores the heart of the matter.  Yahoo! never clearly explains how auto-saved drafts might be retained in either “Draft” or “Archive” folders until deleted, double deleted and purged from the server cache or “Dumpster.”

While the outcome of the purported fishing expedition into Yahoo!’s email practices may never be published due to protective orders, it is more likely than not the source of the offending messages will be the digital analog of a time-honored, traditional law enforcement investigative method:  Dumpster diving.

[i] Browning Marean, an attorney with DLA Piper, was known to many in the electronic discovery world as the “Godfather of eDiscovery.”  A prolific speaker, writer and general litigation raconteur, he described the litigation electronic discovery process in ways no one else could, then or since.

President Obama Presents Cybersecurity Action Plan

Everett Monroe
February 9, 2016

Today President Obama unveiled his new Cybersecurity National Action Plan as part of his 2017 budget proposal to Congress. The Plan has a broad scope designed to address many of the cybersecurity issues that gained high visibility in 2015. In particular, the Plan focuses on issues with Federal cybersecurity infrastructure: modernizing antiquated software and systems vulnerable to cyber attacks, developing uniform cybersecurity practices, and developing best practices for Federal agencies to follow in managing both data security and data privacy.

A strong piece of the Plan involves the Commission on Enhancing National Cybersecurity, which the President established today by executive order. The President will appoint up to twelve people to the Commission, with recommendations from Congressional leadership. The Commission will issue a report before the end of the year making recommendations in a number of cybersecurity areas including IT procurement and modernization practices, best practices for networking security, and cybersecurity risk management for Federal agencies, as well as for business and consumers. The Plan also explains implementation of Commission recommendations.

California Updates Its Data Privacy And Security Laws For 2016

Everett Monroe
October 20, 2015

The end of the first year of California’s legislative session brings several bills that modify California’s data privacy and security regime. A number of these bills expand California’s protections for personal information and will affect how California businesses and government agencies protect, use, and disclose the data they collect. The bills will go into effect January 1, 2016.

Three new laws modify California’s data breach notification statute:

AB 964 defines “encrypted” information as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The new law provides a definition of encryption similar to that used by HIPAA. Notification to consumers is not required if only encrypted data is breached.

SB 570 mandates that data breach notices sent to California residents have specific titles that appear clearly and conspicuously in the notice, and that the body of the notice be in no smaller than 10-point font. It also provides an optional model form.

SB 34 includes Automatic License Plate Reader (“ALPR”) data in the personal information definition of the data breach statute, which means that ALPR operators would have to provide notice to California residents if they experience a data breach. This law also requires ALPR system operators to publish a privacy policy.

European Court Of Justice Rules US-EU Safe Harbor Invalid

Everett Monroe
October 9, 2015

This week the European Court of Justice issued a judgment in the case of Maximillian Schrems v. Data Protection Commissioner finding that the US-EU Safe Harbor is invalid for failing to provide adequate limitations on data processing for national security purposes.

The US Department of Commerce and the European Commission negotiated the Safe Harbor framework to provide adequate privacy protections for the personal information of European data subjects transferred to businesses in the United States. US companies participating in the Safe Harbor self-certified to the Department of Commerce that they would abide by seven privacy principles: notice, choice, onward transfer, security, data integrity, access, and enforcement.

The decision from the European Court of Justice removes this protection for US businesses seeking to transfer data from European entities and individuals. The judgment also increases the obligations on national data protection authorities to more closely monitor the adequacy of data transfer mechanisms and to depend less on the European Commission’s authority. Businesses in the US participated in the Safe Harbor to get approval to transfer data out of Europe without seeking approval from each individual EU country. It removed the need to get 28 different approvals for Europe wide business transactions, and protected cloud service providers from being forced to maintain separate European servers. It eased the way for cooperation between US and EU businesses, and lowered barriers for data transfers between US companies and their European subsidiaries.

Responses from US regulatory authorities have been guarded. The Chairman of the Federal Trade Commission, the primary enforcement body for the Safe Harbor in the United States, issued a short statement that “we will continue to work together with our European colleagues to develop effective solutions that protect consumer privacy with respect to cross-border data transfers.” The Department of Commerce expressed deep disappointment in the decision and called for an expedited release of the Updated Safe Harbor Framework, noting that it is prepared to work with the Commission to address uncertainty created by the Court’s decision. Meanwhile, the Article 29 working group, a body made up of the national data protection authorities and representatives from EU governing institutions, announced a meeting this week to consider what guidance to provide European and United States organizations in the wake of the decision.

With data privacy, you better do what you say you are doing

Everett Monroe
September 28, 2015

Enforcement actions relating to data privacy are often brought by administrative agencies under State and Federal Unfair Competition Laws. Enforcement actions against companies that fail to meet their commitments to consumers are a common occurrence.

Comcast’s recent $33,000,000 settlement with the California Attorney General is a good example of how state agencies will take administrative action against companies who tell customers one thing and then do something else. Between 2010 and 2012, Comcast mistakenly published the directory information of VoIP customers that had paid Comcast not to list them. The first cause of action in the complaint against Comcast was for a violation of California’s unfair competition law: Comcast broke its promise to its customers that it would not publish directory listing information.

The Federal Trade Commission often uses its enforcement authority over unfair and deceptive business practices to pursue companies that do not fulfill their privacy commitments. A recent example of this is the Commission’s complaint against Nomi Technologies. Nomi Technologies tracked mobile devices in participating retail locations, which could generate data on the duration and frequency of customers entering the location and their shopping habits. The FTC’s complaint alleged that Nomi failed to meet two commitments: (1) that customers would be informed as to which retail locations used Nomi’s service, and (2) that customers would be able to opt out of the tracking at the participating retail locations. The FTC obtained a 20-year monitoring agreement over Nomi.

A recent FTC update shows a group of thirteen companies caught claiming that they were certified under the US-EU Safe Harbor in their privacy policies when, in fact, their certifications had lapsed or they were not certified at all. Another group of six companies faced similar charges in 2009.

Intentional wrongdoing is not the centerpiece of these charges. The Comcast complaint alleges that the disclosures were the result of a technical mistake, and the Nomi Complaint does not claim that the company was intentionally deceiving consumers. Regardless, these agencies have made it clear that companies will be held responsible for failing to keep commitments they make to the public.

US/EU “Safe Harbor” Agreement Ruled Invalid By EU Judge

William Kellermann
September 23, 2015

In an influential opinion published September 23, 2015, European Court of Justice (ECJ) Advocate General Yves Bot recommended the ECJ find the US/EU “Safe Harbor” Agreement invalid.   The 40-page ruling provides a preliminary victory for Austrian law student and privacy advocate Maximillian Schrems, but stands to cast the data transfer practices of many companies into turmoil.

The case stems from Schrems’ crusade against the data privacy and data transfer practices of Facebook in light of Edward Snowden’s revelations about the US National Security Agency’s Prism data surveillance program.  Schrems sued Facebook in Ireland, where it locates its servers for services to its EU user base.  The High Court of Ireland referred the matter to the ECJ for a preliminary ruling.

While Bot’s ruling is preliminary, subject to confirmation by the ECJ and would only be directly binding as to Facebook, the recommendations found in Bot’s opinion upend many commercial practices regarding data transfer from the EU to US-based servers.  While the NSA’s Prism program targeted the data transfers of nine internet companies, such as Microsoft, Google, Apple, Facebook, etc., the unraveling of the Safe Harbor agreement could have far-reaching effects on any company with EU operations sending data about EU citizens, including employees, to the US.

The case is Maximillian Schrems v Data Protection Commissioner, Case # C‑362/14, pending in Luxembourg.

Court: No expectation of privacy in a pocket-dialed conversation

William Kellermann
July 27, 2015

Two steps forward, one step back.  In the introduction to a law review article entitled “Emerging Changes in the Practice of Law,” USC Law Center professor Louis M. Brown wrote of the “Fable of the Telephone.”  Essentially, the story goes that back in 1878, white-shoe New York law firms resisted use of the telephone in their law offices because there was no protection for client confidentiality in the age of the party line.[i]  When clients demanded access to telephones, pay phones were installed in the lobby.  It would be many years before the expectation of privacy was established in the law for telephone conversations and more than 100 years before the last commercial party lines were eliminated in the US.

The same late 19th century lawyers also rejected the typewriter (there was no precedent upholding the legal validity of documents created on a typewriter) and female legal secretaries (because of the prevailing view women gossiped too much and would constitute a threat to the confidentiality of office communications).  How times have changed.  Nevertheless, with respect to the telephone, there is a kernel of truth in the concerns of those Luddite lawyers (all men, by the way).

Fast forward to the 2014 holiday season and the proliferation of “Smart Televisions.”  The press was replete with dire warnings of the anti-privacy effect of voice recognition and control, based on this statement in a privacy policy:

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party…”  Samsung Privacy Policy – Smart TV Supplement

Put simply, if you want to use voice recognition to control your TV, you consent to having everything said in front of your TV recorded and uploaded to Nuance, the third-party company providing voice recognition services to Samsung.  See Not in front of the telly: Warning over ‘listening’ TV  BBC News, 9 February 2015.

So it should come as no surprise when the Sixth Circuit Court of Appeals recently held that there is no expectation of privacy in a conversation inadvertently transmitted to a third-party by what the court called a “pocket dial.”  Bertha Huff, et al. v. Carol Spaw, 2014 U.S.App. LEXIS 12538; 2015 FED App. 0157P (6th Cir. – July 21, 2015).

Baseball Rivalry Takes the Low Road In Potential Data Hack

William Kellermann
June 16, 2015

Step aside Video-gate and Deflate-gate. Baseball inter-team rivalry has taken a new turn to the dark side. In the first known case of corporate espionage involving sports teams, the St. Louis Cardinals are under investigation for hacking the corporate network of the Houston Astros. The F.B.I. and Justice Department prosecutors are investigating whether one of the most successful teams in baseball over the past two decades hacked into internal networks of a rival team to steal closely guarded information about player personnel. Investigators have uncovered evidence that Cardinals officials broke into a network of the Houston Astros that housed special databases the team had built.

Of all teams to hack, why the Astros? The motive appears to be revenge executed by front-office employees against a former colleague. Astros general manager Jeff Luhnow was a highly successful executive with the Cardinals until 2011. At St. Louis, Luhnow built a computer network called Redbird housing databases of all the Cardinals’ baseball operations information, including scouting reports and player personnel information. Luhnow used the databases to create the best minor league system in baseball and engineer a “Moneyball” style re-tooling leading to the Cardinals’ 2011 World Series championship. After leaving to join the Astros, Luhnow created a similar program in Houston known as Ground Control. Under Luhnow, the Astros have accomplished a striking turn-around, now leading the American League West.

How A Data Breach Led To A ‘Billboard Bomb’

William Kellermann
May 22, 2015

On Saturday, May 9, 2015 a bomb went off at a busy intersection of the affluent Atlanta suburb of Buckhead. Nobody was killed or physically injured, so you probably didn’t read or hear about it with your Sunday morning coffee. But both the FBI and Homeland Security are investigating the incident. The “bomb” has come to be known as the “Buckhead Billboard Bomb.” The incident reflects the ever-growing need for businesses large and small to pay attention to data security.

The Buckhead Billboard Bomb resulted when a hacktivist group calling itself Assange Shuffle Collective accessed a web-connected digital billboard to display an obscene pornographic image to passers-by at the intersection of Peachtree and East Paces Ferry roads. The software running the billboard had no system security in place and, worse yet, a cyber-security expert had warned the company it was vulnerable. The billboard company responded “not interested…” to the expert’s offer to assist.

Two Federal Cybersecurity Bills Move Forward

Eric Junginger
April 23, 2015

At the White House Summit on Cybersecurity and Consumer Protection at Stanford University on February 13, 2015, President Obama called for a single national data breach standard and for improved information sharing about threats to America’s technology infrastructure between government and the private sector. In the past two months, Congress has responded with multiple bills to address these pressing issues.

First, the Data Security and Breach Notification Act of 2015 was passed by the House Energy and Commerce Committee on April 15, and was sent to the House floor. The Act would set a single national standard for data breach notification that would be enforced by the Federal Trade Commission (“FTC”) and the states’ attorneys general, and would preempt state data security and breach notification statutes. While the Act made it out of committee, the vote was along party lines, including a no vote from the Act’s Democratic co-sponsor.
